Reputation: 165
limit network access to private endpoint of storage account from a specific azure function when vnet integration enabled
This is the situation:
- 1 app service plan with 2 azure functions, function A and function B, both with the same subnet vnet integration enabled
- 1 subnet with a storage account and private endpoint enabled
In the current situation the network traffic from both function apps can access the private endpoint of the storage account because of the vnet integration.
Is it possible to allow outbound traffic only from function A to the storage account? I don't want to use the service tag in a ngs rule because then both function apps are allowed.
Upvotes: 0
Views: 248
Answers (1)
Reputation: 806
This isn't easily attainable with your setup. Both functions share the same pool of IPs from the subnet you're using for vnet injection, so you'll have a difficult time firewalling them from the network perspective.
If you want network isolation, then deploy a separate subnet, and move function B to a new app service plan that has vnet integration enabled on the new subnet. Then you can setup an NSG to block access.
Upvotes: 1
Related Questions
- Deploy to Function App with Access Restrictions and vNet Integration
- Do I require vnet integration for private outbount traffic - Azure API management
- Multiple subnets in vnet needing access to same storage account via Private Endpoint/Service Endpoint
- Azure function can not access key vault within VNET- Public network access is disabled
- Accessing Azure Storage Account using private endpoints and Vnet Integration from an Azure Function (app )
- Request originated from VNET through service endpoint. This is blocked by your Cosmos DB account firewall settings
- Function App with Vnet integration and Private Endpoint -> Server Response: Service Unavailable
- Limiting access to Storage Account from Azure Function Subnet